Overview
OpenCart’s user management system allows you to create multiple admin users with granular permissions, ensuring secure access control for your team. You can also manage API users for programmatic access to your store.
Access user management from System → Users in the admin panel.
Admin Users
User Structure
Admin users are defined with authentication credentials and permission groups.
```php
// From user.php model (system/library/cart/user.php)
namespace Opencart\System\Library\Cart;

class User {
    protected int $user_id = 0;
    protected string $username = '';
    protected int $user_group_id = 0;
    protected array $permission = [];

    public function login(string $username, string $password): bool {
        $user_query = $this->db->query(
            "SELECT * FROM `" . DB_PREFIX . "user`
             WHERE LCASE(`username`) = '" . $this->db->escape(oc_strtolower($username)) . "'
             AND `status` = '1'"
        );

        if ($user_query->num_rows && password_verify($password, $user_query->row['password'])) {
            $this->user_id = $user_query->row['user_id'];
            $this->username = $user_query->row['username'];
            $this->user_group_id = $user_query->row['user_group_id'];

            return true;
        }

        return false;
    }
}
```
Creating Admin Users
Add New User
Navigate to System → Users → Users and click Add New. Required fields:

```php
$user_data = [
    'username'      => 'john.doe',            // Login username
    'user_group_id' => 1,                     // Permission group
    'firstname'     => 'John',
    'lastname'      => 'Doe',
    'email'         => '[email protected]',
    'image'         => 'path/to/avatar.jpg',
    'status'        => 1                      // 1 = Enabled, 0 = Disabled
];
```
Set Password
Create a strong password following security best practices. Passwords are hashed using PHP’s password_hash() with the default algorithm (bcrypt).
Assign User Group
Select a user group that defines permissions (e.g., Administrator, Manager, Developer).
Activate User
Enable the user account to allow login access.
User Fields
Username - Unique identifier for login. Cannot be changed after creation.
User Group - Determines access permissions. Users inherit all permissions from their assigned group.
Email - Used for password recovery and notifications. Must be unique.
Image - Optional profile picture displayed in the admin header.
Status - Enable (1) or disable (0) the user account. Disabled users cannot log in.
User Groups and Permissions
Permission System
OpenCart uses a two-tier permission system: Access and Modify .
```php
// From user_permission.php model
namespace Opencart\Admin\Model\User;

class UserGroup extends \Opencart\System\Engine\Model {
    public function addUserGroup(array $data): int {
        $this->db->query(
            "INSERT INTO `" . DB_PREFIX . "user_group`
             SET `name` = '" . $this->db->escape($data['name']) . "',
                 `permission` = '" . $this->db->escape(isset($data['permission']) ? json_encode($data['permission']) : '') . "'"
        );

        return $this->db->getLastId();
    }
}
```
Permission Types
Access Permission - Allows viewing specific admin pages and sections. Users can see data but cannot make changes.
Modify Permission - Allows creating, editing, and deleting data. Always requires the corresponding Access permission.
Creating User Groups
Add User Group
Navigate to System → Users → User Groups and click Add New . Example groups:
Administrator - Full access to all features
Manager - Catalog and order management only
Support - View orders and customer data
Developer - Design and extension management
Configure Access Permissions
Select the pages users can view:

```php
$access_permissions = [
    'catalog/product',
    'catalog/category',
    'sale/order',
    'customer/customer',
    // ... more routes
];
```
Configure Modify Permissions
Select the pages where users can make changes:

```php
$modify_permissions = [
    'catalog/product',   // Can add/edit/delete products
    'sale/order',        // Can update order status
    // ... subset of access permissions
];
```
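Putting the two steps above together, here is an added example (not OpenCart's own code) that reads a `user_group`.`permission` row in the JSON shape written by `addUserGroup` above, answers the runtime question "may this group view or change this route?", and audits the group for the mistake the Permission Types section warns about: a Modify route with no matching Access route. The group row is constructed sample data.

```php
<?php
// Added example, not OpenCart's own code. The permission column holds a JSON
// object {"access":[...],"modify":[...]} (see json_encode in addUserGroup), or
// an empty string when a group was saved with no permissions at all.
declare(strict_types=1);

// Constructed sample row, as it would come back from the user_group table.
const SAMPLE_GROUP_ROW = [
    'name'       => 'Store Manager',
    'permission' => '{"access":["catalog/product","catalog/category","sale/order","customer/customer"],'
                  . '"modify":["catalog/product","sale/order","marketing/coupon"]}',
];

/** Decode the permission column into ['access' => [...], 'modify' => [...]]. */
function loadPermissions(array $row): array {
    // An empty string is not valid JSON, so treat it as "no permissions".
    $decoded = json_decode($row['permission'] ?: '{}', true, 512, JSON_THROW_ON_ERROR);

    return [
        'access' => array_values(array_unique($decoded['access'] ?? [])),
        'modify' => array_values(array_unique($decoded['modify'] ?? [])),
    ];
}

/** Runtime guard: $type is 'access' or 'modify', $route is like 'sale/order'. */
function hasPermission(array $permission, string $type, string $route): bool {
    return in_array($route, $permission[$type] ?? [], true);
}

/** Audit: every Modify route must also appear under Access. */
function findOrphanModifyRoutes(array $permission): array {
    return array_values(array_diff($permission['modify'], $permission['access']));
}

$perm = loadPermissions(SAMPLE_GROUP_ROW);

foreach (['sale/order', 'customer/customer', 'marketing/coupon'] as $route) {
    printf("%-20s access=%s modify=%s\n",
        $route,
        hasPermission($perm, 'access', $route) ? 'yes' : 'no',
        hasPermission($perm, 'modify', $route) ? 'yes' : 'no');
}

// marketing/coupon is granted under Modify but not Access: the page can never
// be opened, so the grant is either a mistake or dead weight to remove.
foreach (findOrphanModifyRoutes($perm) as $route) {
    printf("orphan modify permission: %s (no access permission for %s)\n", $route, SAMPLE_GROUP_ROW['name']);
}
```

The same audit can be run over every row of the `user_group` table to catch the "permissions not working" case listed under Troubleshooting before users report it.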
Common Permission Sets
Administrator
Access: All routes
Modify: All routes
Full control over the entire admin panel.

Store Manager
Access:
catalog/* (all catalog pages)
sale/order
customer/customer
marketing/*
Modify:
catalog/product
catalog/category
sale/order (status updates)
marketing/coupon
Can manage products, orders, and marketing campaigns.

Customer Support
Access:
sale/order
customer/customer
customer/customer_approval
sale/returns
Modify:
sale/order (status only)
sale/returns
Can view orders and customers, update statuses, and manage returns.

Developer
Access:
design/*
marketplace/*
tool/*
Modify:
design/theme
design/layout
marketplace/extension
Can manage themes, layouts, and extensions.
API Users
API Authentication
API users allow programmatic access to your store via REST API.
```php
// From api.php controller
namespace Opencart\Admin\Controller\User;

class Api extends \Opencart\System\Engine\Controller {
    public function index(): void {
        $this->load->model('user/api');

        // API users with session tokens
        $results = $this->model_user_api->getApis();
    }
}
```
Creating API Users
Add API User
Navigate to System → Users → API and click Add New.

```php
$api_data = [
    'username'      => 'mobile_app',
    'key'           => $this->generateApiKey(),   // Secure random key
    'status'        => 1,
    'date_added'    => date('Y-m-d H:i:s'),
    'date_modified' => date('Y-m-d H:i:s')
];
```
Configure IP Restrictions
Add allowed IP addresses for security.

```php
$api_ips = [
    ['ip' => '192.168.1.100'],   // Office IP
    ['ip' => '10.0.0.50'],       // Server IP
];
```

Leave the IP list empty to allow access from any IP (not recommended for production).
Generate API Key
OpenCart generates a unique API key (token) for authentication. Store this key securely - it won’t be shown again.
Using API Keys
```php
// API authentication example
$api_key   = 'your-api-key-here';
$store_url = 'https://yourstore.com';

// Step 1: Create session
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $store_url . '/index.php?route=api/login');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'key' => $api_key
]));

$response = curl_exec($ch);
if ($response === false) {
    throw new RuntimeException('Login request failed: ' . curl_error($ch));
}

$data = json_decode($response, true);
if (empty($data['api_token'])) {
    // No token means login was refused (disabled API user, IP not allowed,
    // or wrong key; see Troubleshooting). Stop before sending any cart calls.
    throw new RuntimeException('No api_token in login response: ' . $response);
}
$api_token = $data['api_token'];

// Step 2: Use token for requests
curl_setopt($ch, CURLOPT_URL, $store_url . '/index.php?route=api/cart/add&api_token=' . urlencode($api_token));
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'product_id' => 42,
    'quantity'   => 1
]));

$result = curl_exec($ch);
curl_close($ch);
```
Profile Management
Editing Your Profile
Admin users can update their own profile information.
```php
// From profile.php controller
namespace Opencart\Admin\Controller\User;

class Profile extends \Opencart\System\Engine\Controller {
    public function edit(): void {
        $this->load->model('user/user');

        // Users can update their own details
        $user_info = $this->model_user_user->getUser($this->user->getId());

        // Can modify: firstname, lastname, email, image, password
        // Cannot modify: username, user_group_id (requires admin)
    }
}
```
Access your profile by clicking your username in the top-right corner of the admin panel.
Changing Passwords
Navigate to Profile
Click your username → Edit Profile .
Enter New Password
Provide a strong password meeting these criteria:
Minimum 8 characters
Mix of uppercase and lowercase
Include numbers and symbols
Avoid common words or patterns
Confirm Password
Re-enter the password to confirm.
Save Changes
Your password is immediately updated and you’ll need to use it on next login.
Security Best Practices
Principle of Least Privilege - Grant users only the permissions they need. Create specific user groups for different roles.
Strong Passwords - Enforce complex passwords. Change default passwords immediately after installation.
Regular Audits - Review user accounts and permissions quarterly. Remove inactive users.
API IP Restrictions - Always restrict API access to known IP addresses in production environments.
Two-Factor Authentication - Install a 2FA extension for additional login security (available in the marketplace).
Session Timeout - Configure the session timeout in settings to automatically log out inactive users.
Troubleshooting
Cannot Log In After Password Change
Clear browser cookies and cache. Ensure the password was saved correctly by resetting it again through the database if needed.

```sql
-- Reset password directly in database (use PHP password_hash)
UPDATE oc_user SET password = '$2y$10$...' WHERE username = 'admin';
```
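The `$2y$10$...` value in that statement has to come from `password_hash()`, the same call OpenCart uses when saving a user. The following added script (not OpenCart's own code) produces the hash, self-checks it with `password_verify()`, and applies the update through a prepared statement so the `$`-laden hash and the operator-supplied username are never spliced into SQL text. The DSN, credentials and `oc_` table prefix are assumptions to adjust for your installation.

```php
<?php
// Added example, not OpenCart's own code. Usage: php reset.php <username> <new-password>
declare(strict_types=1);

if ($argc < 3) {
    fwrite(STDERR, "usage: php reset.php <username> <new-password>\n");
    exit(1);
}
[$script, $username, $newPassword] = $argv;

// PASSWORD_DEFAULT is bcrypt, producing the $2y$ prefix the login code verifies.
$hash = password_hash($newPassword, PASSWORD_DEFAULT);

// Self-check before touching the database: the hash must verify the plaintext
// and must not already be flagged as needing a rehash.
if (!password_verify($newPassword, $hash) || password_needs_rehash($hash, PASSWORD_DEFAULT)) {
    fwrite(STDERR, "generated hash failed self-check\n");
    exit(1);
}

// Assumed connection details; replace with the values from your config.php.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=opencart;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Bound parameters instead of string concatenation. LCASE() mirrors the
// case-insensitive lookup used by User::login().
$stmt = $pdo->prepare(
    'UPDATE `oc_user` SET `password` = :password WHERE LCASE(`username`) = :username'
);
$stmt->execute([
    ':password' => $hash,
    ':username' => mb_strtolower($username),
]);

if ($stmt->rowCount() === 0) {
    // Nothing matched: most likely a misspelled username rather than a hashing problem.
    fwrite(STDERR, "no user named '{$username}' found; password unchanged\n");
    exit(1);
}

printf("password updated for %s\n", $username);
```

A zero row count is worth checking explicitly: a silent no-op here is easy to mistake for the "cannot log in after password change" symptom this section describes.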
User Group Permissions Not Working
Verify both Access AND Modify permissions are set. Clear cache and log out/in again.
API Authentication Failing
Check:
API status is enabled
IP address is in allowed list (or list is empty)
API key is correct
Session token hasn’t expired (tokens expire after 1 hour)
Related pages:
Store Settings - Configure session and security settings
API Reference - Complete API documentation for developers
Extensions - Install security extensions such as 2FA